[Summary]

Recently, new malicious code that performs pharming of internet banking using VPN tunneling has been discovered. It uses encrypted communication via VPN and steals financial information (e.g., certificates).

[Details]

1. intt.exe

1) It decrypts a specific string by a single-byte XOR operation.

[Decryption logic]

[The string that is used for decoding: x0c39pe]

[Before the decoding]

[After the decoding]

2) It creates a specific service using the decrypted string.

[Service name: V3Safer]

3) It decrypts strings in the same way as [1-1].

[Before the decoding/After the decoding]

4) It creates a registry key and values related to the service using the decoded string.

5) It reads the binary resource (ID 0x65) from the resource section and saves it as a file in a specific path.

[Reading the resource section]

6) It decrypts a specific string by a single-byte XOR operation.

[Decryption logic]

[The string that is used for decoding: sdf3xdi]

[Before the decoding/After the decoding]
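Steps 1), 3) and 6) all recover strings with a XOR operation keyed by a short string (x0c39pe, sdf3xdi). The following decoder is an added example for analysts reproducing that decoding offline; it is not code from the report or from the sample. The report does not state whether the key is applied as one byte or cycled over the data, so the helper handles both forms, and the plaintexts and ciphertexts below are constructed for the demonstration rather than taken from the sample.

```python
"""Added example: recovering XOR-obfuscated strings of the kind the report
describes for intt.exe. Key handling (single byte vs. repeating key string)
is an assumption; all sample data here is constructed."""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, cycling the key over the data.
    A one-byte key is the single-byte XOR case; a longer key such as
    b"x0c39pe" is applied repeatedly (assumed, not stated by the report)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (tab/newline allowed)."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def brute_force_single_byte(data: bytes, marker: bytes = None,
                            min_ratio: float = 0.9):
    """Try all 256 single-byte keys on `data`.

    Returns (key, plaintext) pairs whose output is mostly printable,
    best first. If `marker` is given (e.g. a service name already seen
    during dynamic analysis), only outputs containing it are kept, which
    removes the many spurious printable candidates short inputs produce."""
    hits = []
    for k in range(256):
        out = xor_bytes(data, bytes([k]))
        if marker is not None and marker not in out:
            continue
        ratio = printable_ratio(out)
        if ratio >= min_ratio:
            hits.append((ratio, k, out))
    hits.sort(key=lambda t: (-t[0], t[1]))
    return [(k, out) for _, k, out in hits]


if __name__ == "__main__":
    # Constructed demo data: encode with the key string from the report
    # applied cyclically, then decode it back.
    key = b"x0c39pe"
    blob = xor_bytes(b"V3Safe32.dll", key)
    print("repeating key  :", xor_bytes(blob, key))

    # Constructed demo data: single-byte key 0x78 recovered by brute force,
    # using the service name from the report as the known marker.
    blob1 = xor_bytes(b"V3Safer", b"\x78")
    for k, out in brute_force_single_byte(blob1, marker=b"V3Safer"):
        print(f"single-byte key: 0x{k:02x} -> {out}")
```

The marker filter matters in practice: for a seven-byte input, well over a hundred single-byte keys yield fully printable output, so a printability score alone does not identify the key.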

7) It creates a specific service using the decrypted string.

8) It starts service of V3Safer.
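Steps 2), 4), 7) and 8) leave persistence artefacts (the V3Safer service and its registry values) that a responder can check for. The script below is an added example, not from the report, that flags those artefacts in an exported registry hive. The report gives the names V3Safer, V3Safe32.dll and intt.exe but not the exact values the sample writes, so the .reg text here is constructed, and it assumes the service is registered under the standard HKLM\SYSTEM\CurrentControlSet\Services key.

```python
"""Added example: flag service-persistence artefacts named in the report
(V3Safer, V3Safe32.dll, intt.exe) in a .reg export of the Services key.
The export below is constructed; real values written by the sample are
not given in the report."""

import re

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SUSPICIOUS_SERVICE_NAMES = {"v3safer"}            # from the report
SUSPICIOUS_FILE_NAMES = {"v3safe32.dll", "intt.exe"}  # from the report

# Constructed sample export (not real data). The svchost/ServiceDll layout
# is an assumption about how a DLL-hosted service would be registered.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\V3Safer]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\V3Safer\Parameters]
"ServiceDll"="C:\\Windows\\System32\\V3Safe32.dll"
'''


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value_as_text}}.
    Quoted string values have their doubled backslashes collapsed; other
    value types (dword:, hex:) are kept as the raw text after '='."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                name, raw = m.groups()
                if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                    raw = raw[1:-1].replace("\\\\", "\\")
                keys[current][name] = raw
    return keys


def find_suspicious_services(reg: dict) -> list:
    """Return one finding per Services subkey whose service name or any
    value references an indicator from the report."""
    prefix = SERVICES_KEY.lower() + "\\"
    findings = []
    for path, values in reg.items():
        if not path.lower().startswith(prefix):
            continue
        service = path[len(prefix):].split("\\", 1)[0]
        reasons = []
        if service.lower() in SUSPICIOUS_SERVICE_NAMES:
            reasons.append(f"service name '{service}' matches report")
        for vname, vtext in values.items():
            for fname in SUSPICIOUS_FILE_NAMES:
                if fname in vtext.lower():
                    reasons.append(f"{vname} references {fname}")
        if reasons:
            findings.append({"service": service, "key": path,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_services(parse_reg(SAMPLE_REG)):
        print(f["key"])
        for r in f["reasons"]:
            print("   -", r)
```

On a live host the same check can be run against `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and the exported file fed to `parse_reg`; matching by both service name and referenced file name catches a renamed service that still loads the dropped DLL.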

2. V3Safe32.dll

1) It checks the status of a service and then creates a thread using a specific service name.